{ config, lib, ... }:
let
  cfg = import ./vars.nix;
  dbport = cfg.authentik.dbPort;
  domain = cfg.authentik.domain;
  redis = "6379";
  port = cfg.authentik.port;
  version = cfg.authentik.version;
  authentikEnvironment = {
    TZ = "Europe/Berlin";
    AUTHENTIK_REDIS__HOST = cfg.podman.hostIP;
    AUTHENTIK_POSTGRESQL__HOST = cfg.podman.hostIP;
    AUTHENTIK_POSTGRESQL__PORT = dbport;
    AUTHENTIK_POSTGRESQL__NAME = "authentik";
    AUTHENTIK_POSTGRESQL__USER = "authentik";
    AUTHENTIK_POSTGRESQL__PASSWORD = "file://${config.sops.secrets."authentik/db".path}";
    AUTHENTIK_SECRET_KEY = "file://${config.sops.secrets."authentik/secret".path}";
    AUTHENTIK_EMAIL__HOST = cfg.mail.host;
    AUTHENTIK_EMAIL__PORT = cfg.mail.port;
    AUTHENTIK_EMAIL__USE_TLS = "true";
    AUTHENTIK_EMAIL__FROM = "Authentik <authentik@mc-fucker.cool>";
  };
in
{
  imports = [
    ./podman-postgresql.nix # for the database
    ./nginx.nix             # for the webserver
  ];

  sops.secrets."authentik/db" = {
    owner = "mc-fucker"; # unfortunately, the UID of the container process can't
    group = "nogroup";   # be changed, so it needs to be this user
  };
  sops.secrets."authentik/secret" = {
    owner = "mc-fucker";
    group = "nogroup";
  };

  services.podman-postgresql."authentik" = {
    enable = true;
    image = "docker.io/library/postgres:15-alpine";
    port = (lib.strings.toInt dbport);
    passwordFile = config.sops.secrets."authentik/db".path;
  };


  virtualisation.oci-containers.containers.redis = {
    image = "docker.io/library/redis:alpine";
    extraOptions = cfg.podman.extraOptions;
    cmd = [ "--save 60 1" ];
    volumes = [
      "/var/lib/redis:/data"
    ];
    ports = [ "${redis}:${redis}" ];
    environment = {
      TZ = "Europe/Berlin";
    };
  };

  virtualisation.oci-containers.containers.authentik-server = {
    image = "ghcr.io/goauthentik/server:${version}";
    extraOptions = cfg.podman.extraOptions;
    cmd = [ "server" ];
    dependsOn = [
      "postgresql-authentik"
      "redis"
    ];
    volumes = [
      "/var/lib/authentik/media:/media"
      "/var/lib/authentik/templates:/templates"
      "${config.sops.secrets."authentik/db".path}:${config.sops.secrets."authentik/db".path}"
      "${config.sops.secrets."authentik/secret".path}:${config.sops.secrets."authentik/secret".path}"
    ];
    ports = [ "${port}:${port}" ];
    environment = authentikEnvironment;
  };

  virtualisation.oci-containers.containers.authentik-worker = {
    image = "ghcr.io/goauthentik/server:${version}";
    extraOptions = cfg.podman.extraOptions;
    cmd = [ "worker" ];
    dependsOn = [
      "postgresql-authentik"
      "redis"
    ];
    volumes = [
      "/var/lib/authentik/media:/media"
      "/var/lib/authentik/templates:/templates"
      "${config.sops.secrets."authentik/db".path}:${config.sops.secrets."authentik/db".path}"
      "${config.sops.secrets."authentik/secret".path}:${config.sops.secrets."authentik/secret".path}"
    ];
    environment = authentikEnvironment;
  };


  services.nginx = {

    upstreams.authentik = {
      servers."localhost:${port}" = {};
    };

    appendHttpConfig = ''
      map $http_upgrade $connection_upgrade_keepalive {
        default upgrade;
        '''      ''';
      }
    '';

    virtualHosts.${domain} = {
      forceSSL = true;
      enableACME = true;

      locations."/" = {
        proxyPass = "http://authentik";
        extraConfig = ''
          proxy_http_version 1.1;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header Host $host;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection $connection_upgrade_keepalive;
        '';
      };

      extraConfig = ''
        access_log  /var/log/nginx/${domain}_access.log;
        error_log   /var/log/nginx/${domain}_error.log;
      '';
    };
  };

}
# vim: set et ts=2 sw=2 ai: